Third-Party Risk Management
Table of Contents
Introduction
What is a Third-Party?
www.upguard.com ii
Introduction
If you outsource to third parties, you increase your exposure to a data breach. Each of your vendors has some level of access to your internal systems or data, so when one of them suffers a breach it can quickly turn from a trusted partner into a critical attack vector. According to the 2022 Cost of a Data Breach report by IBM and the Ponemon Institute, vulnerabilities in third-party software (one of many third-party risk categories) were the third most expensive initial attack vector in 2022, with an average breach cost of USD 4.55 million (an increase of 13% compared to 2021). An effective Third-Party Risk Management (TPRM) program reduces the vendor security risks that lead to data breaches, and with them the costly damages associated with these events.
https://www.ibm.com/reports/data-breach
Getting Started with Third-Party Risk Management
What is a Third-Party?
A third party is any external entity your organization does business with directly: suppliers, manufacturers, service providers, business partners, affiliates, distributors, resellers, agents, and vendors.
A fourth party is a third party of your third party. Fourth parties (or "Nth parties") are relationships deeper in the supply chain with which you have no direct contract, yet they are potential avenues to your sensitive resources through your third parties.
1. Third parties aren't typically under your control, nor do you have complete transparency into their security controls. Some vendors have robust security standards and good risk management practices, while others leave much to be desired.
2. Each third party is a potential attack vector for a data breach or cyber attack. A vulnerability in a vendor's systems can be exploited to reach your organization through the access that vendor holds. The more vendors you use, the larger your attack surface and the higher the likelihood of being impacted by a third-party breach.
3. General data protection and data breach notification laws such as GDPR, CCPA, FIPA, PIPEDA, the SHIELD Act, and LGPD increasingly include TPRM-related controls and standards, which means there are now financial repercussions for inadequate TPRM efforts.
An increasing emphasis on third-party risk management in both regulations and cyber security frameworks is driven by increasing vendor-related security risks. Currently, approximately thirty percent of data breaches are caused by third parties. This concerning statistic will only grow as these attacks evolve in complexity and further outgrow outdated TPRM models.
TPRM programs need to adapt to the fast-evolving third-party risk landscape. Organizations that implement such an innovative TPRM model invest, not only in their current state of cyber threat resilience, but also in their future growth. With the impact of third-party data breaches gaining weight in risk analysis calculations, it's the businesses with a proven TPRM program that will win the profitable partnership opportunities of the near future.
88% of organizations have low confidence in the quality of their TPRM process.
30% of data breaches are directly caused by third parties.
While a TPRM program could address every category of third-party risk (as a Digital Risk Protection service does), in practice the effort is usually focused on third-party security risk.
Do You Need a Third-Party Risk Management and a Vendor Risk Management solution?
A third-party cybersecurity program should include both a TPRM and a VRM component, since each discipline covers a different scope of risk. Vendors, with their ongoing access to sensitive systems, require a distinct degree of risk monitoring at both the attack surface and regulatory compliance levels. Contractors, customers, and other non-vendor third parties introduce a more nuanced set of security risks that can only be managed effectively with a dedicated risk management program.
By applying tailored risk mitigation across the two primary categories of third-party attack vector, vendors and other third-party entities, the combination of a TPRM and a VRM program gives organizations the most comprehensive protection against third-party breaches and other forms of cyberattack involving third parties.
The Third-Party Risk Management Lifecycle
80%: Third-party vendors are performing new technology services.
66%: Third-party vendors are increasingly providing services outside of the company's core business model.
TPRM Lifecycle
Ongoing management of evolving third-party security risks is possible with the
following 5-stage TPRM lifecycle.
1. Risk Planning
• Evaluate your third-party risk appetite - Define the inherent and residual risk you are willing to accept. This appetite will likely be refined after onboarding, once the applicable regulatory and compliance requirements are considered in detail; final alignment with your risk threshold is then measured against each vendor's resulting residual risk rating.
• Evaluate and determine how to best tier your vendors - This is an important
step that’s often overlooked. Tiering vendors based on the information they
will have access to, the product/service they’re providing, or their regulatory/
compliance requirements will help you determine the level of risk monitoring
and due diligence each vendor requires. Intelligent vendor tiering will also
help you track the reassessment (or recertification) schedules of each
vendor grouping.
2. Due Diligence
• Determine critical due diligence questions - Multiple data sources should
be referenced when designing these questionnaires, including previous
quarterly risk reports, internal audit reports, industry standards/regulations,
and previously completed risk assessments.
• Evaluate each vendor’s inherent risk score - Before considering any third-
party security controls that will be required in a partnership arrangement,
a security risk baseline should be established through a simple risk
assessment or questionnaire. This will help you determine the level of
controls needed to keep each vendor's risk exposure within your risk
appetite limits.
• Confirm the validity of due diligence responses - Questionnaire answers are self-reported. Corroborate every due diligence assessment with a security rating derived from externally observable signals across multiple attack vectors.
3. Contract Negotiations
• Establish security standards in vendor contracts - This will depend on the
jurisdiction you operate in.
• Consider adding a 'Right to Audit' clause in vendor contracts - This will give
you the right to review each vendor’s internal security processes, audits, self-
assessments, and controls.
• Review stipulated SLAs - To ensure the standards meet your business and
compliance requirements.
4. Ongoing Monitoring
• Implement continuous attack surface monitoring - A completed assessment is a snapshot. Deploy systems that continuously track each vendor's externally visible exposure and the status of the security controls the vendor has committed to, so that drift between assessments is detected rather than discovered after an incident.
5. Termination
• Revoke access after offboarding and contract termination - Remove every account, credential, and data access the vendor held, update your user access lists accordingly, and perform a final review of security policy and regulatory standard compliance.
Adding a feedback loop creates an iterative model that can adapt to any changes
in risk appetites, security policies, regulatory compliance standards, and business
relationships.
The updated TPRM lifecycle model can also consider special third-party risks falling
outside of the cybersecurity category, also known as special categories of risk.
Special categories (or non-traditional categories) of risk include entities that have
the potential of becoming third-party breach attack vectors despite not commonly
being targeted by cybercriminals.
How to Evaluate Third-Party Risks
There are various solutions and methods that exist for evaluating third parties.
Generally, senior management and the board will decide on the best methods to
choose, depending on your industry, number of vendors, and information security
policies.
Security Ratings
Security ratings are an increasingly popular part of third-party risk management. They are derived from externally observable signals about a vendor's attack surface rather than from the vendor's own questionnaire answers, so they give an objective view of a vendor's security posture that can be refreshed continuously instead of once per assessment cycle.
Security Questionnaires
Security questionnaires (or third-party risk assessments) are designed to help you
identify potential weaknesses among your third-party vendors, business partners,
and service providers that could result in a data breach.
Penetration Testing
Penetration testing (also known as pen testing or ethical hacking) is the practice of testing a computer system, network, or web application to discover exploitable security vulnerabilities. Pen testing the third-party solutions you rely on can uncover risks that questionnaires and ratings miss. Testing a vendor's hosted systems requires the vendor's written authorization, so agree the scope and permission in the contract alongside the 'Right to Audit' clause.
Common Challenges of Third-Party Risk Management
Lack of Speed
It's no secret that getting a vendor to complete a security questionnaire and
processing the results can be a lengthy process. A process that is made worse
when questionnaires come in the form of dense spreadsheets with no version
control, resulting in an error-prone, time-consuming, and impractical process that
doesn't scale.
Lack of Depth
Many organizations make the mistake of believing they don't need to monitor
low-risk third parties, such as marketing tools or cleaning services. But in a threat
landscape that’s quickly evolving towards third-party cyberattacks, all vendors
- even the most innocuous - are potential attack vectors, either through direct
cyberattack methods, like security vulnerability exploitations, or indirect methods,
such as phishing emails purporting to come from trusted vendors.
Lack of Visibility
Security questionnaires alone reveal the effectiveness of a given vendor's security
controls for a single point in time. However, IT infrastructures are in constant flux,
and the positive results of a given security assessment may not accurately reflect
that vendor's security posture a few months into the future. This is why security
ratings are usually used alongside traditional risk assessment techniques.
Lack of Consistency
Ad-hoc third-party risk management processes mean that not all vendors are
monitored, and when they are, they are not held to the same standard as other
vendors.
While it's recommended to assess critical vendors more heavily than non-critical
vendors, it's still important to assess all vendors against the same standardized
checks to ensure nothing falls through the cracks.
Lack of Trackability
Keeping track of which vendors have been sent security questionnaires and
completion rates across a network of hundreds or thousands of third parties is a
considerable challenge.
Lack of Engagement
Continuously reminding vendors to complete their risk assessments is probably the
most frustrating component of third-party risk management, especially when these
reminders keep getting lost within ever-expanding inboxes.
Integrating a TPRM with your Existing Cybersecurity Framework
The following 8-step process will help you map your existing risk controls to a TPRM
program. This generic process is compatible with most cybersecurity frameworks.
The flow of your sensitive data through third-party processes, and each vendor’s
level of sensitive data access, can be evaluated with risk assessments.
Updating your ERM framework should trigger an update of all your risk registers
across each department. Every business unit across most industries utilizes some
degree of third-party service, so every business unit should have a risk register.
If you come across any risk registers that have recently been updated, check to
make sure their risk data is based on the most updated list of third-party vendors
and products in use.
After updating a risk register, always confirm its alignment with the risk
appetite outlined in your ERM framework.
Your updated risk appetite should be defined at an organizational level and feed
into every business unit. This will set an objective risk threshold that every business
register is measured against, allowing critical third-party risks at a department level
to be easily identified.
When writing each TPRM policy, it’s important to consider your internal third-
party risk requirements (as outlined in your ERM framework) and the compliance
requirements of any relevant regulatory standards.
Relevant regulatory standards include those that pertain to your industry and the
industries of each of your vendors.
A list of popular compliance standards to support your TPRM policy writing efforts:
• Highlighting the risks within your appetite and those falling outside of the threshold.
• Identifying all of the security controls your third-party vendors are expected to implement.
Your choice of questionnaire depends on your unique compliance and cyber threat
mitigation requirements outlined in your ERM framework.
Identify all of the regulations that apply to you and your third-party vendors. To
support this effort, the list below identifies all of the third-party security controls for
popular cybersecurity frameworks and regulations.
• 8.3
• 9.9.3
• 12.3.9
• 12.3.10
• 12.8
• 12.8.1
• 12.8.2
• 12.8.3
• 12.8.4
• 12.8.5

• 15.1
• 15.2

Sarbanes-Oxley Compliance (SOX)
• APO10.01/APO10.02
• APO10.03
• APO10.04

HITRUST CSF
• 5.02 External Parties
• 05.i Identification of Risks Related to External Parties
For your TPRM program to be effective, it should prioritize vendors with the highest
potential of negatively impacting your security posture. A vendor tiering policy
supports this requirement by grouping critical vendors in the same tier, making their
cybersecurity impact the primary focus of attack surface monitoring efforts.
Level Up Your Third-Party Risk Management with UpGuard
Prevent third-party breaches, discover potential vendor risks, and track regulatory
compliance all from a single award-winning solution.
We're here to help, shoot us an email at sales@upguard.com
www.upguard.com 650 Castro Street, Suite 120-387, Mountain View CA 94041 United States
+1 888-882-3223
© 2023 UpGuard, Inc. All rights reserved. UpGuard and the UpGuard
logo are registered trademarks of UpGuard, Inc. All other products or
services mentioned herein are trademarks of their respective companies.
Information subject to change without notice.